International Data Transfer to Third Countries

Free flow of personal data is not restricted if data are transferred within the European Economic Area.

In its Decision 2000/518/EC, the European Commission considered that Switzerland provides an adequate level of protection for personal data transferred from the European Union.

Personal data may not be disclosed abroad if the privacy of the data subjects would be thereby seriously endangered, in particular due to the absence of legislation that guarantees adequate protection.

In the absence of legislation that guarantees adequate protection, personal data may be disclosed abroad only if:

  • sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad;
  • the data subject has consented in the specific case;
  • the processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party;
  • disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts;
  • disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject;
  • the data subject has made the data generally accessible and has not expressly prohibited its processing;
  • disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.

The Federal Data Protection and Information Commissioner must be informed of the safeguards and the data protection rules. The Federal Council regulates the details of this duty to provide information.

The Binding Corporate Rules (BCRs) are recognised in Switzerland. The BCRs have to be notified to the DPA, but the approval is not necessary.

The US-Swiss Safe Harbor Framework is a set of rules that ensures an adequate level of protection of personal data and facilitates the transfer of data between the registered Swiss and American companies.

According to the DPA, the standard contract “Swiss Transborder Data Flow Agreement” and the standard contractual clauses of the European Union constitute sufficient guarantee to ensure an adequate level of protection in a third country.

Please visit:

Swiss Transborder Data Flow Agreement

https://www.admin.ch/opc/de/classified-compilation/20071670/index.html (german)

https://www.edoeb.admin.ch/dam/edoeb/de/dokumente/2017/03/die_datenuebermittlunginsauslandkurzerklaert.pdf.download.pdf/die_datenuebermittlunginsauslandkurzerklaert.pdf (german)

Binding Corporate Rules (BCRS)

The use of binding corporate rules is generally recognised by the DPA as a method for achieving an adequate level of data protection abroad. There are no specific formal requirements. No DPIC approval is required or possible (however, as mentioned in the foregoing section, the binding corporate rules have to be notified to the Swiss Federal Data Protection and Information Commissioner (DPIC). Under the revised DPA, it is expected that binding corporate rules have to be formally approved.

Exceptions Established by Law

The new Data Protection Act is limited only to natural persons and no longer, as in the old law, also to legal entities.